February Sees Dramatic Rise in Insider Healthcare Data Breaches

In its most recent healthcare data breach report. Protenus has indicated that the month of February witness a significant increase in insider healthcare data breaches.

The February Breach Barometer report shows that there were 31 reported healthcare data breaches during February. Although that number is equal to January 2017, when a total of 31 healthcare data breaches were also reported, the number of insider healthcare data breaches rose considerably in February.

Insider incidents in February amounted to 58% of the overall number of reported breaches, double that of January. Those incidents were, roughly, half malicious acts and half errors. Eight incidents were the consequence of wrong doing by insiders and nine incidents were registered as errors that had been made by healthcare workers.

The recent increase in insider healthcare data breaches is worrying. Healthcare organizations have been investing more in their perimeter defenses so as to avoid ePHI access by hackers, however defenses against insider breaches are regularly found to be insufficient. Furthermore, it is taking far too much time for the said incidents to be detected.

HIPAA Rules require that entities covered by it maintain ePHI access logs and regularly audit those logs to identify any improper access which may have been made by healthcare employees. On too many occasions, the ePHI access logs are not verified often enough. As a consequence, rogue employees can access patients’ PHI for extended periods prior to their actions being detected.

It is often the case that employees access ePHI out of simple curiosity. Nevertheless, individuals’ health information and Social Security numbers can be very valuable to identity thieves and other types of fraudster. Unlawfully obtained healthcare information is regularly used for a range of nefarious purposes. Quickly detecting incidents of improper access can help to limit the damage caused by such data breaches. A smaller number patients are then effected, thieves have less time in which to use the data before protective measures are put in place and the healthcare organizations concerns will incur lower levels of breach resolution costs.

Nevertheless, February’s figures would suggest that it is taking healthcare providers much longer to detect data breaches. In January the average time from the date of the occurrence of the data breach and its reporting to the Department of Health and Human Services’ Office for Civil Rights was 174 days. In February, that period increased to 478 days.

Two of the incidents reported in February had in fact taken more than five years to discover, one being a case of improper access by an employee that took a grand total of 2,103 days to discover and report. The other, which concerned a software glitch, took a total of 1,952 days to discover and report.

Ordinarily any insider breach should be uncovered during a regularly scheduled review of PHI access logs, while a software glitch should be identified during risk assessment. Although it is not possible for healthcare organizations to prevent all data breaches, policies and procedures should be sufficiently developed to guarantee that incidents of this nature are quickly detected.

In February, almost one fifth of breaches concerned devices that had been lost or stolen. Encryption technologies may have been able to prevent those breaches. Hacking, although a grave problem for the healthcare industry in recent months, was in fact down. Only 12% of the breaches that were reported in February were due to hacking.

Healthcare providers suffered the most breaches during February, totaling 77% of all breaches. Health plans reported 13% of breaches. Business associate breaches accounted for 3% of the month’s total.

Although the overall numbers of healthcare data breaches in February and January were identical, there was a significant reduction in exposed or stolen records. January saw the breach of 388,207. In February that figure fell to 206,151.